FactsDroid - Your Universal Knowledgebase
At very first, install the app on a android device. On opening it ,we get security warning due to the root device and Random Fact button is also disabled.
Opening app on a rooted device
open the application in jadx and go to Resources > lib >arm64-v8a . There is two files libapp.so and libflutter.so , which confirms that app is made in flutter framework.
Opening FactsDroid.apk
Then, we disassemble the app with blutter .
1
python blutter.py ~/FactsDroid.apk/FactsDroid/lib/arm64-v8a/ ~/FactsDroid.apk/FactsDroid/lib/arm64-v8a/output
Content generated by blutter on output directory
On looking for root keyword inside pp.txt , there is clear hint that _checkRootStatus is being called in facts_droid/main.dart
On analysing _ initState , it is calling the _checkRootStatus() .
Just after _initState there is __checkRootStatus
On analysing the _checkRootStatus method, it has stated that its using channel and passing the method isDeviceRooted and invoked it.
So, open the application on jadx-gui and search for isDeviceRooted method.
Here its initializing, boolean z3 = true; means its assuming that device is rooted and, if each root checking test cases is passed its updating the z3 to false and returning the z3 value.
this function is returning value of z3 and its updated to false only after passing all the test cases.
Then we started to patch this function to return false but the function is returning void. So, we can’t simply set make implementation to set return value false.
1
2
3
4
5
6
7
8
9
10
Java.perform(function() {
var HandlerClass = Java.use("B.a");
HandlerClass.g.implementation = function(methodCallObj, resultObj) {
console.log("[*] Bypassing root check...");
var Boolean = Java.use("java.lang.Boolean");
var falseObj = Boolean.valueOf(false);
resultObj.c(falseObj);
return;
};
});
Start the app by spawning with above frida script.
Still we do get this error.
Since, goal is to intercept traffic, we pasted frida script by updating IP and proxy port in frida repl by copying from https://github.com/hackcatml/frida-flutterproxy/blob/main/script.js for patching libapp.so and redirecting traffic to our burpsuite.
Now on again clicking on Random Fact , we are able to intercept the traffic in burpsuite.
Intercepting traffic in burpsuite.
Facts are loaded on app successfully.
This way, we achieved the goal of our challenge FactsDroid .














